Vulnerability Details : CVE-2020-14332
A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.
Exploit prediction scoring system (EPSS) score for CVE-2020-14332
Probability of exploitation activity in the next 30 days: 0.05%
Percentile (the proportion of vulnerabilities scored at or below this): ~14%
CVSS scores for CVE-2020-14332
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
| 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N | 3.9 | 2.9 | NIST |
| 5.5 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 | Red Hat, Inc. |
| 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 | NIST |
CWE ids for CVE-2020-14332
- The product does not neutralize or incorrectly neutralizes output that is written to logs. (Assigned by: secalert@redhat.com, Primary)
- Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. (Assigned by: nvd@nist.gov, Secondary)
References for CVE-2020-14332
- https://github.com/ansible/ansible/pull/71033
  copy - redact 'content' from invocation in check mode by s-hertel · Pull Request #71033 · ansible/ansible · GitHub (Patch; Third Party Advisory)
- https://www.debian.org/security/2021/dsa-4950
  Debian -- Security Information -- DSA-4950-1 ansible (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14332
  1857805 – (CVE-2020-14332) CVE-2020-14332 Ansible: module_args does not censor properly in --check mode (Issue Tracking; Vendor Advisory)
Products affected by CVE-2020-14332
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*